Security

Hello Community,

I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
I have an internal PKI (Root CA, Sub CA) for my environment.
After installation of my 2 ClearPass Servers I created a signing request for an RSA cetificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everthing is fine.
Since ClearPass 6.10.0 has ECC certificates enabled per default, I disabled the (self signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed from my SubCA.
This worked without problems, when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created an user with role api-admin.

Now I want my aruba 2930M (WC_16_10_0015) Switches to connect with ClearPass an dowload the CA with the command:
crypto ca-download usage clearpass retry 3
I the log I can see, the switch tries to download the certificate
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.12 server
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.11 server

But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
sw-1# show crypto pki ta-profile
Profile Name Profile Status CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT Root Certificate Installed
COMODO_RSA_CA Root Certificate Installed No No
default Self-signed Certificate Ins... No No
GEOTRUST_CA Root Certificate Installed No No
ARUBA_CA Root Certificate Installed No No
CP-VM01 Pending Root Certificate In... No No
cp-vm02 Pending Root Certificate In... No No


sw-1# debug destination session
sw-1# debug cppm

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server

0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded thecertificate from 10.51.0.12 server

When I browse the URL http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem I can see a certifacte. But this is the Self signed ECC certificate which I turned off.

Is the an option to change this behavior so ClearPass ist presenting the RSA Certificate and the Root CA instead of the self signed ECC certificate?

In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates

Regards

This is a known issue, that is expected to be fixed in 6.10.1. The RSA certificate has moved with the introduction of ECC certificates to https-root-rsa.pem, but breaks the automatic download of the root trust-anchor.

As a workaround, install the trust anchor through your management platform (Central, Airwave, etc), till ClearPass 6.10.1 is out. After that fix, with a disabled ECC, the RSA root will be available as https-root.pem as well, which will resolve the issue you have now.

If it really impacts your implementation, you could reach out to Aruba Support, and ask them to copy the https-root-rsa.pem to https-root.pem as well through support access.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jun 30, 2021 02:52 AM
From: Steffen Ikert
Subject: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

Hello Community,

I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
I have an internal PKI (Root CA, Sub CA) for my environment.
After installation of my 2 ClearPass Servers I created a signing request for an RSA cetificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everthing is fine.
Since ClearPass 6.10.0 has ECC certificates enabled per default, I disabled the (self signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed from my SubCA.
This worked without problems, when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created an user with role api-admin.

Now I want my aruba 2930M (WC_16_10_0015) Switches to connect with ClearPass an dowload the CA with the command:
crypto ca-download usage clearpass retry 3
I the log I can see, the switch tries to download the certificate
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.12 server
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.11 server

But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
sw-1# show crypto pki ta-profile
Profile Name Profile Status CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT Root Certificate Installed
COMODO_RSA_CA Root Certificate Installed No No
default Self-signed Certificate Ins... No No
GEOTRUST_CA Root Certificate Installed No No
ARUBA_CA Root Certificate Installed No No
CP-VM01 Pending Root Certificate In... No No
cp-vm02 Pending Root Certificate In... No No


sw-1# debug destination session
sw-1# debug cppm

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server

0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded thecertificate from 10.51.0.12 server

When I browse the URL http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem I can see a certifacte. But this is the Self signed ECC certificate which I turned off.

Is the an option to change this behavior so ClearPass ist presenting the RSA Certificate and the Root CA instead of the self signed ECC certificate?

In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates

Regards

Hello Herman,
thanks for your answer. I opened a TAC Case and they copied the root certificate files.
Now it works for me :-)

------------------------------
Steffen Ikert
------------------------------

Original Message:
Sent: Jun 30, 2021 10:16 AM
From: Herman Robers
Subject: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

This is a known issue, that is expected to be fixed in 6.10.1. The RSA certificate has moved with the introduction of ECC certificates to https-root-rsa.pem, but breaks the automatic download of the root trust-anchor.

As a workaround, install the trust anchor through your management platform (Central, Airwave, etc), till ClearPass 6.10.1 is out. After that fix, with a disabled ECC, the RSA root will be available as https-root.pem as well, which will resolve the issue you have now.

If it really impacts your implementation, you could reach out to Aruba Support, and ask them to copy the https-root-rsa.pem to https-root.pem as well through support access.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jun 30, 2021 02:52 AM
From: Steffen Ikert
Subject: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

Hello Community,

I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
I have an internal PKI (Root CA, Sub CA) for my environment.
After installation of my 2 ClearPass Servers I created a signing request for an RSA cetificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everthing is fine.
Since ClearPass 6.10.0 has ECC certificates enabled per default, I disabled the (self signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed from my SubCA.
This worked without problems, when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created an user with role api-admin.

Now I want my aruba 2930M (WC_16_10_0015) Switches to connect with ClearPass an dowload the CA with the command:
crypto ca-download usage clearpass retry 3
I the log I can see, the switch tries to download the certificate
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.12 server
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.11 server

But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
sw-1# show crypto pki ta-profile
Profile Name Profile Status CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT Root Certificate Installed
COMODO_RSA_CA Root Certificate Installed No No
default Self-signed Certificate Ins... No No
GEOTRUST_CA Root Certificate Installed No No
ARUBA_CA Root Certificate Installed No No
CP-VM01 Pending Root Certificate In... No No
cp-vm02 Pending Root Certificate In... No No


sw-1# debug destination session
sw-1# debug cppm

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server

0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded thecertificate from 10.51.0.12 server

When I browse the URL http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem I can see a certifacte. But this is the Self signed ECC certificate which I turned off.

Is the an option to change this behavior so ClearPass ist presenting the RSA Certificate and the Root CA instead of the self signed ECC certificate?

In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates

Regards

i open SR with HPE they keep said it my own cacert server,  but after i follow your info disable the ECC and my cert show up full info but it still show not secure,  i cannot figure it out why it doing that root and my intermidia it in the trust list.  any help?
Original Message:
Sent: Jun 30, 2021 02:52 AM
From: Steffen Ikert
Subject: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

Hello Community,

I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
I have an internal PKI (Root CA, Sub CA) for my environment.
After installation of my 2 ClearPass Servers I created a signing request for an RSA cetificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everthing is fine.
Since ClearPass 6.10.0 has ECC certificates enabled per default, I disabled the (self signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed from my SubCA.
This worked without problems, when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created an user with role api-admin.

Now I want my aruba 2930M (WC_16_10_0015) Switches to connect with ClearPass an dowload the CA with the command:
crypto ca-download usage clearpass retry 3
I the log I can see, the switch tries to download the certificate
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.12 server
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.11 server

But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
sw-1# show crypto pki ta-profile
Profile Name Profile Status CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT Root Certificate Installed
COMODO_RSA_CA Root Certificate Installed No No
default Self-signed Certificate Ins... No No
GEOTRUST_CA Root Certificate Installed No No
ARUBA_CA Root Certificate Installed No No
CP-VM01 Pending Root Certificate In... No No
cp-vm02 Pending Root Certificate In... No No


sw-1# debug destination session
sw-1# debug cppm

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server

0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded thecertificate from 10.51.0.12 server

When I browse the URL http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem I can see a certifacte. But this is the Self signed ECC certificate which I turned off.

Is the an option to change this behavior so ClearPass ist presenting the RSA Certificate and the Root CA instead of the self signed ECC certificate?

In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates

Regards

Is this for the Root CA download from ClearPass by your ArubaOS Switch?

If you are on CPPM 6.10.0, upgrade to CPPM 6.10.6 and see if that resolves the issue.

Otherwise, please open a new discussion and include what certificates you installed (screenshots) and where you see the 'not secure' message (screenshot).

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jul 12, 2022 12:28 PM
From: anthony nguyen
Subject: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

i open SR with HPE they keep said it my own cacert server,  but after i follow your info disable the ECC and my cert show up full info but it still show not secure,  i cannot figure it out why it doing that root and my intermidia it in the trust list.  any help?
Original Message:
Sent: Jun 30, 2021 02:52 AM
From: Steffen Ikert
Subject: ClearPass 6.10 ECC / RSA certificate issue with automated switch CA download

Hello Community,

I installed a ClearPass Cluster with Version 6.10.0 (fresh installation - no upgrade).
I have an internal PKI (Root CA, Sub CA) for my environment.
After installation of my 2 ClearPass Servers I created a signing request for an RSA cetificate and I imported this signed certificate into my ClearPass Servers. I also added the Root and Sub CA Certificates to the Trust List of both Servers - everthing is fine.
Since ClearPass 6.10.0 has ECC certificates enabled per default, I disabled the (self signed) ECC certificate on both servers, so that ClearPass should use the RSA certificate which is signed from my SubCA.
This worked without problems, when I use a browser and go to my ClearPass Servers, I get presented the RSA certificates. Next I created an user with role api-admin.

Now I want my aruba 2930M (WC_16_10_0015) Switches to connect with ClearPass an dowload the CA with the command:
crypto ca-download usage clearpass retry 3
I the log I can see, the switch tries to download the certificate
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.12 server
I 06/30/21 08:31:31 05811 CADownload: ST1-CMDR: Successfully downloaded the
certificate from 10.51.0.11 server

But when I look at the CA certs, I see the status "Pending Root Certificate Installation..."
sw-1# show crypto pki ta-profile
Profile Name Profile Status CRL Configured OCSP Configured
--------------- ------------------------------ --------------- ---------------
IDEVID_ROOT Root Certificate Installed
COMODO_RSA_CA Root Certificate Installed No No
default Self-signed Certificate Ins... No No
GEOTRUST_CA Root Certificate Installed No No
ARUBA_CA Root Certificate Installed No No
CP-VM01 Pending Root Certificate In... No No
cp-vm02 Pending Root Certificate In... No No


sw-1# debug destination session
sw-1# debug cppm

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.52 CPPM mcppmTask:Clearpass CA download request to :
http://10.51.0.12/.well-known/aruba/clearpass/https-root.pem

0004:17:57:05.53 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded the certificate from 10.51.0.11 server

0004:17:57:05.55 CPPM mcppmTask:Failed to install the Certificate

I 06/30/21 08:37:31 05811 CADownload: ST1-CMDR: Successfully downloaded thecertificate from 10.51.0.12 server

When I browse the URL http://10.51.0.11/.well-known/aruba/clearpass/https-root.pem I can see a certifacte. But this is the Self signed ECC certificate which I turned off.

Is the an option to change this behavior so ClearPass ist presenting the RSA Certificate and the Root CA instead of the self signed ECC certificate?

In my installation with CP 6.8 and 6.9 that worked without problems, but there were no ECC certificates

Regards